turifungia, one of our community members, kindly reported an access permission vulnerability in Ninja Super Submit. The component did not sanitize the passed-in variable Itemid.
This is not really a security leak, because the administrator of a site can configure whether a user group is permitted to automatically publish submitted content. But if the component's menu entry was set to any user group above 'Public', the component did not check permissions. While fixing this issue, I also added NinjACL compatibility.
We have to thank you very much for your report, turifungia.
Notes:
Users who already have release candidate 2 installed only need to replace one file:
~/components/com_super_submit/super_submit.php
All other versions have to be reinstalled, because important changes were made in RC2!
Best Regards
Uwe Walter
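A minimal model of the two checks described above (sanitizing Itemid and enforcing the access level of the component's menu entry), added here as an example; it is not Ninja Super Submit or Joomla code. The menu table, the function name canSubmit and the sample requests are constructed, and the 0/1/2 access levels assume Joomla 1.x numbering.

```php
<?php
// Constructed model, not Ninja Super Submit or Joomla code.
// Assumed access levels (Joomla 1.x numbering): 0 = Public, 1 = Registered, 2 = Special.

// Constructed sample menu table: Itemid => component and required access level.
$menu = [
    12 => ['component' => 'com_content',      'access' => 0],
    37 => ['component' => 'com_super_submit', 'access' => 1],
    38 => ['component' => 'com_super_submit', 'access' => 2],
];

/**
 * Decide whether a request may reach the submit form (hypothetical helper).
 * $rawItemid is the untrusted request value; $userAccess is the visitor's level.
 */
function canSubmit(array $menu, $rawItemid, int $userAccess): bool
{
    // 1. Sanitize: accept only a string made of decimal digits.
    if (!is_string($rawItemid) || !ctype_digit($rawItemid)) {
        return false;
    }
    $itemid = (int) $rawItemid;

    // 2. The Itemid must resolve to a menu entry that belongs to this component.
    if (!isset($menu[$itemid]) || $menu[$itemid]['component'] !== 'com_super_submit') {
        return false;
    }

    // 3. Enforce the access level configured on that menu entry.
    return $userAccess >= $menu[$itemid]['access'];
}

// Constructed requests: [raw Itemid, user's access level].
$cases = [
    ['37', 0],      // Public visitor, Registered-only entry -> deny
    ['37', 1],      // Registered user, Registered-only entry -> allow
    ['38', 1],      // Registered user, Special-only entry -> deny
    ['12', 2],      // menu entry of another component -> deny
    ['37abc', 2],   // non-numeric Itemid -> deny
    [['37'], 2],    // array instead of a scalar -> deny
];
foreach ($cases as [$raw, $level]) {
    printf("%-10s level=%d => %s\n", json_encode($raw), $level,
        canSubmit($menu, $raw, $level) ? 'allow' : 'deny');
}
```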